Voip

metallica1973 · 11-22-2005, 04:35 PM

How do have your network setup? Do you have it setup on its own DMZ. Do you use Lingo or what VOIP service do you use? I am so glad that I finally ran into somebody with this same headache. Please read my other posting

http://www.linuxquestions.org/questi...hreadid=382722

and try using this patchomatic fix for netfilter

http://people.netfilter.org/chentsch...track-nat.html

http://www.netfilter.org/patch-o-mat...-conntrack-nat

You need kernel 2.6+ for this patch to work and then apply this rules ex.

Using sip-conntrack-nat

Once you've recompiled the kernel, make sure you load the modules.

Wookie:/home/chentschel#modprobe ip_conntrack_sip ip_nat_sip Wookie:/home/chentschel# lsmod | grep ip_nat_sip ip_nat_sip 4288 0 ip_conntrack_sip 6544 1 ip_nat_sip iptable_nat 20444 1 ip_nat_sip ip_conntrack 38808 3 ip_nat_sip,ip_conntrack_sip,iptable_nat Wookie:/home/chentschel#

Netfilter will take care of the conntracking and NAT of SIP packets now, but don't forget the iptables rules. Examples as follows:

Set iptables rules to allow UDP packets on port 5060:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p udp --dport 5060 -j ACCEPT

And NAT as follows:
iptables -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 200.68.89.15

I hope this helps! Please let me know if you get this working because then I need some help
enyawix

enyawix · 11-23-2005, 01:09 PM

My setup is a two NIC Ipcop firewall with small mods by hand. Changes by hand = blocked class A, B, & C private, D mulicast, and E reserved addresses. Also added a small black list "known spy-ware companies".

metallica1973 · 11-23-2005, 03:39 PM

when you figure it out please let me know how you got it to work! I am in the process of upgrading my kernel to 2.6+ and applying these patchomatics. keep me updated. This is driving me crazy!

enyawix · 12-04-2005, 03:29 PM

I was not thinking iptables filters based on first match. Explicit DROP and ACCEPT must accrue before general rules or the packet will be match to a general rule.

iptables -I INPUT -s 66.147.224.0/20 -j ACCEPT

iptables -I FORWARD -s 66.147.224.0/20 -j ACCEPT

Your nat chain has same issue.

Use

iptables -I FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 200.68.89.15

Not

iptables -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 200.68.89.15

metallica1973 · 12-05-2005, 08:50 PM

I will try this. I get back to you thanks.

metallica1973 · 12-07-2005, 12:49 PM

Can you post your VOIP rules

INPUT

POSTROUTING

PREROUTING

FORWARD

Chains so that I can compare! thanks